Post ASTouLXMvjrEtzUXAG by timhowes@mastodon.social
(DIR) Post #ASTleOzo0HqT8JUwdc by tek@freeradical.zone
2023-02-08T19:22:08Z
0 likes, 0 repeats
My new YubiKey 5C NFC arrived today, complete with happy stickers.
(DIR) Post #ASTm97rVky80yFGigq by keifer@freeradical.zone
2023-02-08T19:27:38Z
0 likes, 0 repeats
@tek Nice fit. Planning on splurging on two of the new YubiKey 'Security Key NFC' when they become available. Will be my first time trying security keys.
(DIR) Post #ASTmHyZleT8omCBnkm by tek@freeradical.zone
2023-02-08T19:29:16Z
0 likes, 0 repeats
@keifer This might be that key. I preordered a little while ago and it just shipped.
(DIR) Post #ASTnCL2HKk1MeQOuHY by keifer@freeradical.zone
2023-02-08T19:39:28Z
0 likes, 0 repeats
@tek Waiting for the pre-orders to open here. I see it being the missing piece for security, but some of my most important services are still not ready.
(DIR) Post #ASTnwLerLtUTtyNzNI by timhowes@mastodon.social
2023-02-08T19:47:09Z
0 likes, 0 repeats
@tek @keifer The "security key" version is just for FIDO2/U2F authentication. The Yubikey 5 has additional functionality like OTP, PGP, and smart card protocols.
(DIR) Post #ASTobePqW2BNx23f1s by tek@freeradical.zone
2023-02-08T19:55:13Z
0 likes, 0 repeats
@keifer That's the truth of it. I've started incrementally adding it to services where I can, but many just don't take it yet.
(DIR) Post #ASTomu3ehPAheL2nLc by tek@freeradical.zone
2023-02-08T19:57:17Z
0 likes, 0 repeats
@timhowes @keifer I got it first for OTP, to replace my old keys which either didn't have NFC or didn't have USB-C. The rest is icing on the cake.
(DIR) Post #ASTouL3aiS2RPdYkka by keifer@freeradical.zone
2023-02-08T19:51:25Z
0 likes, 0 repeats
@timhowes @tek So, is logging in with your 2FA as simple as going to a website on your laptop (for example), it asks for your hardware key, and then you have to insert into laptop or does tapping to NFC enable phone suffice? Or must I go for Yubikey 5 for that functionality? (Sorry if it's a stupid question!)
(DIR) Post #ASTouLXMvjrEtzUXAG by timhowes@mastodon.social
2023-02-08T19:57:00Z
0 likes, 0 repeats
@tek @keifer Yes, that's exactly what it's good for. You can use it as a strong second factor for 2FA. Either insert in your laptop and tap the button or use NFC for your phone. Some websites may have a fully "passwordless" login flow where you insert the key and use a PIN or biometrics to activate the key and log in.
(DIR) Post #ASTouM3yyTwgX8ka00 by tek@freeradical.zone
2023-02-08T19:58:38Z
0 likes, 0 repeats
@timhowes @keifer Also, support for that is growing quickly with Apple's new support of passkeys in recent OS updates. It's the same protocol (as I understand it).
(DIR) Post #ASTozJata9geK7VhQG by keifer@freeradical.zone
2023-02-08T19:59:31Z
0 likes, 0 repeats
@tek @timhowes Right, really looking forward to joining the revolution of these security devices called keys. How things go full circle!
(DIR) Post #ASTp9M6H7SMwzYyXgm by tek@freeradical.zone
2023-02-08T20:01:17Z
0 likes, 0 repeats
@keifer @timhowes Right? What I like here is that someone would have to physically break into my house to log into the websites I've protected with it. I imagine a lot of LastPass users would appreciate that extra layer.
(DIR) Post #ASTpE09Q9a0gMif7Zo by keifer@freeradical.zone
2023-02-08T20:02:11Z
0 likes, 0 repeats
@tek @timhowes A lot of LastPass users would appreciate ANY layer 🤯
(DIR) Post #ASTpGDqkC14FQkz9cm by tek@freeradical.zone
2023-02-08T20:02:34Z
0 likes, 0 repeats
@keifer @timhowes You know that's right.
(DIR) Post #ASTph9AdhJfkjm86qm by timhowes@mastodon.social
2023-02-08T20:07:23Z
0 likes, 0 repeats
@keifer @tek Unfortunately, the recent LastPass compromise involved direct access to the encrypted vaults in cloud storage, bypassing web-based login and 2FA. So, those compromised vaults are really only protected by the strength of the master password.
(DIR) Post #ASTrCWyRLcENUcx7gm by acyberexpert@freeradical.zone
2023-02-08T20:24:20Z
0 likes, 0 repeats
@tek Looks good! Good one, @yubico
(DIR) Post #ASTrhdDgAy0LqCuW7E by keifer@freeradical.zone
2023-02-08T20:11:37Z
0 likes, 0 repeats
@timhowes @tek I listened to this being discussed on a Podcast, was shocked. I would have assumed the 2FA was the final step. But surprised to find out the master password was the key to the encryption (as I understood it).
(DIR) Post #ASTrhdpbtwLVjqeoEq by timhowes@mastodon.social
2023-02-08T20:16:33Z
0 likes, 0 repeats
@keifer @tek With 2FA on, you ensure that, even if someone gets access to your password, they won't be able to log in to the LastPass website and get access to your vault. But if they've already obtained the vault file directly from LastPass's internal storage, then they only need the password to decrypt it.
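The distinction in the reply above (2FA gates the web login, while the master password alone unlocks a vault file that has already been copied out of storage) as an added worked example in Python. This is a constructed toy model written for this page, not LastPass's or Yubico's code: the HMAC-based stream cipher standing in for AES, the PBKDF2 iteration count, the salt, the verifier layout and the sample vault contents are all assumptions made for the demonstration, and the function names are hypothetical.

```python
import hashlib
import hmac
import os

# Toy password-manager vault (constructed for this example, not LastPass's real
# format). The vault key is derived from the master password alone, so whoever
# holds the encrypted blob needs only that password; the second factor is never
# part of the decryption path.

ITERATIONS = 100_000  # PBKDF2 work factor; an illustrative value, not a vendor default


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a 32-byte vault key from the master password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode. Stands in for AES, which the
    standard library lacks; illustrative only, not a recommended cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout of the blob: nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt_vault(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def web_login(master_password: str, stored_verifier: bytes, salt: bytes, second_factor_ok: bool) -> bool:
    """Online path: the service checks the password AND the second factor before it
    hands over the vault. The stored verifier is a hash of the vault key, so the
    server never needs the vault key itself."""
    key = derive_vault_key(master_password, salt)
    password_ok = hmac.compare_digest(hashlib.sha256(key).digest(), stored_verifier)
    return password_ok and second_factor_ok


def offline_decrypt(master_password: str, salt: bytes, blob: bytes):
    """Offline path: whoever holds the blob runs the same derivation with a candidate
    master password. No second factor exists on this path to consult."""
    return decrypt_vault(derive_vault_key(master_password, salt), blob)


# Constructed sample vault for the demonstration.
SALT = b"constructed-salt"
MASTER = "correct horse battery staple"
VAULT = b"gmail.example: hunter2\nbank.example: letmein\n"
VAULT_KEY = derive_vault_key(MASTER, SALT)
BLOB = encrypt_vault(VAULT_KEY, VAULT)
VERIFIER = hashlib.sha256(VAULT_KEY).digest()

if __name__ == "__main__":
    print("web login, right password, no 2FA :", web_login(MASTER, VERIFIER, SALT, False))
    print("web login, right password, 2FA ok :", web_login(MASTER, VERIFIER, SALT, True))
    print("offline decrypt, wrong password   :", offline_decrypt("wrong", SALT, BLOB))
    print("offline decrypt, right password   :", offline_decrypt(MASTER, SALT, BLOB))
```

The point the model makes visible: the only parameters that slow down `offline_decrypt` are the master password's strength and the key-derivation work factor, which is why the thread's advice to treat the vault contents as exposed and rotate the credentials inside it is the right response once the blob is out of the vendor's hands.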
(DIR) Post #ASTrheRtbayFeaZNui by tek@freeradical.zone
2023-02-08T20:29:57Z
0 likes, 0 repeats
@timhowes @keifer Ah, yeah. For clarity, I assume that anyone who wants to can read every username/password in LastPass. Maybe that's not true, but for safety I'd assume so. A hardware key wouldn't stop them from accessing a particular user's u/p stores. It *would* stop them from using those hacked creds to log into any services that were protected by hardware 2FA.
(DIR) Post #ASTrs6NMd2NNABQuoa by tek@freeradical.zone
2023-02-08T20:31:50Z
0 likes, 0 repeats
@timhowes @keifer For instance, if you have hardware 2FA on your Gmail account, hackers can't access it without your key, even if they have the password. You'd still want to change the password, but it wouldn't be *as* urgent as if it was unprotected. You could change it at your convenience rather than in a race with the attackers.
(DIR) Post #ASTs63Fp21JLXHYbeS by tek@freeradical.zone
2023-02-08T20:34:15Z
0 likes, 0 repeats
@yojimbo For sure! Here it's like, "yep, that there's a YubiKey."
(DIR) Post #ASTsa6nwOcZ5Eaqeyu by timhowes@mastodon.social
2023-02-08T20:39:44Z
0 likes, 0 repeats
@tek @keifer Yes, good point. In that case, your Gmail would still be protected.